Useless log message "POSSIBLE BREAK-IN ATTEMPT"
Dan Mahoney, System Admin
danm at prime.gushi.org
Sat Dec 28 20:14:09 EST 2013
On Sat, 28 Dec 2013, Damien Miller wrote:
> On Fri, 27 Dec 2013, Dan Mahoney, System Admin wrote:
>
>> I think the point here is that there's no option for openSSH to then
>> *drop the connection* or refuse it. OpenSSH *checks*, but does not
>> *enforce* anything.
>
> That's not entirely true. from=... restrictions in authorized_keys and
> "Match host" sections in sshd_config depend on the hostname. In the
> reverse-mapping check failed case, they don't get to see the original
> (probably untrustworthy) hostname and are just passed the IP address.
Right, and that was my point -- if you have a bunch of "match host"
blocks, what do you put *outside* those blocks to just deny all
connections? I don't see an option like "AllowUsers None" or "DenyUsers
All" or "DenyUsers *", at least according to the manpage.
In theory you could disable all authentication methods, which will cause
login to fail, but there's no easy way to do an apache-style "deny from
all", which in theory should happen even without doing a handshake in this
situation.
> Basically, the things that depend on the hostname will not be shown one
> that appears spoofed.
Okay, and will the things that depend on the hostname work at all if
UseDNS is turned off?
-Dan
--
"A mother can be an inspiration to her little son, change his thoughts,
his mind, his life, just with her gentle hum."
-No Doubt, "Different People", from "Tragic Kingdom"
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
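Added example, not from this thread and not OpenSSH's own code: one way to get the "deny everything outside the Match blocks" layout the message above asks about, together with the check a practitioner would run before trusting it. The default-deny trick here (a global AllowUsers naming an account that cannot exist, which each Match block then replaces) and the hostnames and addresses are this example's assumptions; the behaviour it relies on is that `sshd -T -C user=...,host=...,addr=...` prints the options sshd would apply to that connection, and that when the reverse lookup does not verify (or UseDNS is off) sshd hands Match Host the IP literal rather than a name, as Damien's reply describes for the failed-check case.

```shell
#!/bin/sh
# Added example for this thread (not OpenSSH code, not from the posters):
# a default-deny sshd_config with Match blocks, plus "sshd -T -C", which
# reports the options sshd would apply to a given user/host/address
# without starting a daemon.
# Assumptions: hostnames and addresses are placeholders; sshd and
# ssh-keygen are available (sshd possibly only in /usr/sbin) for the
# live check, which is skipped when they are not.

SSHD=${SSHD:-$(command -v sshd || echo /usr/sbin/sshd)}

# write_sshd_config DIR: write DIR/sshd_config and print its path.
write_sshd_config() {
    dir=$1
    cat > "$dir/sshd_config" <<EOF
# Throwaway host key so sshd -T can load this file outside /etc/ssh.
HostKey $dir/hostkey

# Global default-deny: AllowUsers naming an account that does not exist.
# Any user not on the list is refused, so nothing outside a Match block
# can log in. A Match block that sets AllowUsers replaces this list.
AllowUsers nobody-matches-this

# Hostname criterion. sshd only hands Match Host a name when the reverse
# lookup verifies (and UseDNS is on); otherwise it gets the IP literal,
# so a spoofed PTR record cannot satisfy this block.
Match Host bastion.example.com
    AllowUsers ops

# Address criterion: never depends on DNS. Keep criteria non-overlapping
# so each connection satisfies at most one block.
Match Address 192.0.2.0/24
    AllowUsers ops deploy
EOF
    printf '%s\n' "$dir/sshd_config"
}

# effective_allowusers CONFIG USER HOST ADDR: print, space separated, the
# AllowUsers list sshd would apply to that connection.
effective_allowusers() {
    "$SSHD" -T -f "$1" -C "user=$2,host=$3,addr=$4" 2>/dev/null |
        awk '$1 == "allowusers" { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

main() {
    command -v ssh-keygen >/dev/null 2>&1 && [ -x "$SSHD" ] || {
        echo "sshd/ssh-keygen not available; skipping live check" >&2
        return 0
    }
    dir=$(mktemp -d)
    cfg=$(write_sshd_config "$dir")
    ssh-keygen -q -N '' -t ed25519 -f "$dir/hostkey"
    # Verified name: the Match Host block fires.
    echo "bastion.example.com/203.0.113.5: $(effective_allowusers "$cfg" ops bastion.example.com 203.0.113.5)"
    # Reverse lookup failed or UseDNS no: host is the IP literal, so only
    # the Match Address block can fire.
    echo "192.0.2.10 (no verified name): $(effective_allowusers "$cfg" ops 192.0.2.10 192.0.2.10)"
    # Neither block satisfied: only the impossible global list remains.
    echo "198.51.100.7: $(effective_allowusers "$cfg" ops 198.51.100.7 198.51.100.7)"
    rm -rf "$dir"
}

main
```

Run it on a host with OpenSSH installed: the first line should show `ops`, the second `ops deploy`, the third only the placeholder `nobody-matches-this`, which is the "deny from all" fallback. Feeding the -C spec an IP literal as the host is exactly what sshd does internally when the reverse mapping check fails, so it is a cheap way to see which of your Match Host blocks silently stop applying in that case.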